For many years, the IT world has been migrating to 'cloud' computing, and managed services are an excellent offering for many organizations. Among the various types of services, managed security services is a viable option. For a monthly fee, a third party can manage many levels of security services at a far greater cost than a single employee, and also by having multiple specialists a managed security company can provide defense in depth to subscribers.
This kind of service is now gaining acceptance as a opportunity for managed physical security. Many organizations would rather not have a security solution that requires a server that needs to be managed, training and retraining of personnel and the other sometimes cumbersome duties of having a world-class security solution. And, compromise on physical security is an accident waiting to happen so that is a painful option. For many organizations, having a physical security vendor that provides a service to outsource many of the maintenance headaches is an attractive alternative.
New employee? Send the information via email and get the credentials created and access assigned. Problem with the system? Technical staff will see the problem and take remediation steps immediately. Reports required to document an event? Simply email and have the report generated for you.
These types of systems also allow for the end user to connect to their management interface through a secure webpage and administer the system themselves. Many items such as unlocking doors, setting timed events and irregular closings happen on a regular basis. The customer can tend to these matters personally, or have the security provider administer them as well.
These systems have been around for quite some time, and there are some successful building management companies providing this service. Up until very recently, these providers used their completely proprietary systems. This solution can be problematic, as once the system is installed, the customer is stuck with that one vendor for the life of the system. Now more competition has entered the field by bringing non-proprietary systems into the workplace.
The more attractive solution of using readily available parts, and systems that have wide acceptance give the end user more power over their security choices. A customer can choose the product that is best suited to their needs, without locking themselves into 'one vendor, one solution' traps. The local hardware can be serviced by a number of integrators, and if your desire for better customer service becomes great enough, switching vendors does not require the expense of a new system.
This solution only requires that the vendor of choice has very strong networking personnel. The solution runs over the internet, and problems that arise are most often a connectivity issue. Only well trained and experienced network engineers can make these systems perform at the highest possible function. This is the best way to ensure utility, continuity and essential interaction.
Systems and Technology
Thursday, January 12, 2012
Tuesday, December 7, 2010
Video Post
This video is a bit long, but in it, I discuss several points about physical security providers and the technologies that enable security integration, and where some of this is going.
It takes a while to load, and the quality is that of a quick webcast.
Thanks for watching.
It takes a while to load, and the quality is that of a quick webcast.
Thanks for watching.
Thursday, July 22, 2010
You are only as good as your last backup.
Image via Wikipedia
Those are commonly used words, but think about it for a second. Is your backup timely, available and worthwhile? When catastrophe strikes, what is on the backups you have? Do you have off-site plans, so that in case your servers are destroyed, your business is not? Have you ever backed up and then restored onto a new machine? Have you implemented a process where you regularly test your backups to see if you can use them?Backups are like a nuclear bomb; unless you have run a successful test, you don't have one.
I am often called to work at company locations where the servers have dust collected over the last decade, tape media which has been used over the life of the machine without getting rotated out, and nothing off-site. As I am looking in horror at the task ahead of me, the principals of these companies re telling me how critical the systems are to their business. This is also true of many enterprises, where although backups abound, they have not been tested on a regular basis.
This problem, like many technology solutions has no one right answer. The answer depends upon the criticality of the data, your acceptable level of downtime, and the cost and complexity that you are willing to accept for the solution. The rule of thumb for any organization, as long as they use computers and software, is to have one regular backup on site, and another one at a remote location.
Local or onsite backups can either go to a disk array specifically for backups or to a tape, where data is backed up on a regular basis. The first step in any backup is to do a full backup, which copies down everything as it is onto backup media. This is not a once-and-done type of backup, and should be performed regularly. Monthly, or quarterly full backups are acceptable, but doing an annual full backup, while fine for non-critical information, is not recommended for your most critical data. Your accounting database, any operational software, and email data is usually the most sought after subsequent to a system crash and therefore is generally the most critical.
After a full backup is performed, then differential or incremental backups can follow. Differential backups will look at the data and see what has changed since the last backup, and then only back up the changes. An incremental backup is roughly the same, except that when restoring you would first restore the full backup and then the incremental backups sequentially. There are many other differences besides that, but I’m trying to keep this as a blog for the masses, not just for geeks.
These backups also need to be done to a remote location, often a hosted backup service. There are quite a few vendors out there for this, one of them has famous commercials where people put their laptops in the microwave or get hit by falling satellites. Many larger organizations have this policy in place where there is a remote site that backs up the data and serves as a data repository or redundant data center. The insurance policy that this buys for a company is worth every penny. The onsite backup procedures are helpful when a file is lost, something gets corrupted or a server crashes. But what if the physical location of the server area is inaccessible or destroyed? Without a reliable offsite backup, your company may never recover.
The key to backing up your data is to test a restoral of your data regularly. Until you do that, you cannot be sure if everything is working correctly. Depending on your company’s tolerance for risk, this could be done monthly, quarterly or at worst annually. If this is done as a policy regularly, then good procedures about how to get systems back online will be easily developed, and in a time of crisis you will have assurance that at least the systems can come back up.
Related articles by Zemanta
- Online vs Offline Data Backup: Part 1 (brighthub.com)
- City of Ettlingen Chooses "Hassle-Free" Virtualized Backup and Restore from Vizioncore (eon.businesswire.com)
Friday, July 16, 2010
Risk Assessment
Risk management, or really risk mitigation, is a relatively new science, but one that has real value if handled properly. The goal of managing risk is to ensure that the confidentiality, availability and integrity of your assets is intact regardless of the situation. The fundamental first step in managing risk is to first thoroughly identify what all of the risks are, without turning a blind eye to anything through a risk analysis. There are many aspects to performing a risk analysis for your assets, and one of the most widely used methods that can capture those aspects in a meaningful way is to perform a qualitative risk assessment. This method is scenario driven, and ranks the seriousness of risks and also the sensitivity of assets into easy to understand classes or grades.
It is important to assign a subjective assessment of risk to specific assets. To do this, a group should participate in the process, and the person responsible for maintaining the asset should be involved. This can be conducted through meetings, brainstorming sessions or a thorough questionnaire that can help protect anonymity and therefore enable complete openness.
Basic steps for performing an assessment should include;
1. List all of the organization's critical assets in a spreadsheet.
2. Specify threats and vulnerabilities for that asset.
3. Develop a consistent exposure severity scale to cover all assets
4. Organize the list based on the priority of most critical to the least.
5. Prioritize funds to mitigate risks based upon the critical nature of the asses and threat.
6. Ensure that the assets achieve a much lower exposure.
Often, it seems easier to handle events as they arise, since the frequency of negative events is very low and does not seem to justify the costs. The value proposition here is to reduce the possibility of impact to the business. If is helpful to avoid situations by understanding;
-What is at risk
-The value that is at risk
-The kind of threats that could occur and their annualized financial consequences
-What can be done to reduce risks and the acceptable costs of doing so
Risk assessment also enables a strategic approach to risk management, and could produce critical decision support information when changes or upgrades to the existing infrastructure are being considered. Only when the risks are fully understood can mitigation of risk take place. It is possible to put in safeguards that can protect against more than one threat, but the best safeguards cannot be accurately chosen without careful analysis of the challenges and threats.
Score | Damage | Trigger Time | Potential Impact |
High | Critical | Minutes to Hours | Loss of life, failure of business, legal charges |
Medium | Disruptive | Hours to Days | Bad PR, loss of customers,loss of prestige, loss of income |
Low | Moderate | Days to Weeks | Requires workaround, reduction in output |
It is important to assign a subjective assessment of risk to specific assets. To do this, a group should participate in the process, and the person responsible for maintaining the asset should be involved. This can be conducted through meetings, brainstorming sessions or a thorough questionnaire that can help protect anonymity and therefore enable complete openness.
Basic steps for performing an assessment should include;
1. List all of the organization's critical assets in a spreadsheet.
2. Specify threats and vulnerabilities for that asset.
3. Develop a consistent exposure severity scale to cover all assets
4. Organize the list based on the priority of most critical to the least.
5. Prioritize funds to mitigate risks based upon the critical nature of the asses and threat.
6. Ensure that the assets achieve a much lower exposure.
Often, it seems easier to handle events as they arise, since the frequency of negative events is very low and does not seem to justify the costs. The value proposition here is to reduce the possibility of impact to the business. If is helpful to avoid situations by understanding;
-What is at risk
-The value that is at risk
-The kind of threats that could occur and their annualized financial consequences
-What can be done to reduce risks and the acceptable costs of doing so
Risk assessment also enables a strategic approach to risk management, and could produce critical decision support information when changes or upgrades to the existing infrastructure are being considered. Only when the risks are fully understood can mitigation of risk take place. It is possible to put in safeguards that can protect against more than one threat, but the best safeguards cannot be accurately chosen without careful analysis of the challenges and threats.
Related articles by Zemanta
- Model for evaluating value at risk for (slideshare.net)
- Risk Management Risk Management Outline: (slideshare.net)
- IT risk assessment frameworks: real-world experience (deurainfosec.com)
Friday, July 9, 2010
The Human Firewall
Social engineering is an attack on your greatest asset, defense and weakness; The Human Firewall. There are people who practice this as a means to bypass all of the electronic defenses that have been put in place to stop someone from coming into the network through the internet. All of the time and money and effort to put the logical and physical perimeter defense can be for nothing. It's also the most insidious attack, since it is targeted specifically against one company, or even one person in particular.
Most attacks take time, since the social engineer has to do some homework before expecting to gain access or having a successful breach. The ease of doing the recon phase has also been greatly aided by technology. Google maps, social networking sites and even your company's website can provide valuable information to an attacker. The social engineer can then gain further insight by learning employee's names from their badges at local restaurants or coffee shops. Also from late night calls into the company, where they can learn a great deal more information from the messages on employee's voice mail message.
Eventually, they can learn enough to pose as a repairman from one of your vendors, a fictitious appointment, or even could drop a targeted USB key or CD/DVD from a vendor where it could be run from inside the company. There are also many more attacks, but this is a blog about prevention, and I would be more than happy to discuss those offline. The best way to defeat the attack is before it can get all the way in.
The key to thwarting any kind of attack is to keep the human firewall updated. Good education alone is a huge help, but not enough. Like any good plan, it needs to be tested so that corrections can be made to what you are doing. Also, making policies and procedures for people to follow make it very easy for employees to understand some basic guidelines of protection. This is great for the employee personally, since protecting their privacy is in their own best interests as well. Privileges for individuals should never be more than is required to do their job. The Director of Finance, Receptionist and Warehouse Manager all need access and data access rights to do their jobs, which is all very different from each other and should be set up that way.
Social engineering is not always obvious, since it is meant to be very subtle and play on emotions and habits that people strive to have. This isn't an automated attack that is run from a distance against your network, but is meant to facilitate a technological breach up close and in person. Social engineering attacks take time to set up, develop, and execute. Like most criminals, when faced with a system that is defending well and the risk of getting caught is high; the social engineer will eventually lose patience and move on.
Most attacks take time, since the social engineer has to do some homework before expecting to gain access or having a successful breach. The ease of doing the recon phase has also been greatly aided by technology. Google maps, social networking sites and even your company's website can provide valuable information to an attacker. The social engineer can then gain further insight by learning employee's names from their badges at local restaurants or coffee shops. Also from late night calls into the company, where they can learn a great deal more information from the messages on employee's voice mail message.
Eventually, they can learn enough to pose as a repairman from one of your vendors, a fictitious appointment, or even could drop a targeted USB key or CD/DVD from a vendor where it could be run from inside the company. There are also many more attacks, but this is a blog about prevention, and I would be more than happy to discuss those offline. The best way to defeat the attack is before it can get all the way in.
The key to thwarting any kind of attack is to keep the human firewall updated. Good education alone is a huge help, but not enough. Like any good plan, it needs to be tested so that corrections can be made to what you are doing. Also, making policies and procedures for people to follow make it very easy for employees to understand some basic guidelines of protection. This is great for the employee personally, since protecting their privacy is in their own best interests as well. Privileges for individuals should never be more than is required to do their job. The Director of Finance, Receptionist and Warehouse Manager all need access and data access rights to do their jobs, which is all very different from each other and should be set up that way.
Social engineering is not always obvious, since it is meant to be very subtle and play on emotions and habits that people strive to have. This isn't an automated attack that is run from a distance against your network, but is meant to facilitate a technological breach up close and in person. Social engineering attacks take time to set up, develop, and execute. Like most criminals, when faced with a system that is defending well and the risk of getting caught is high; the social engineer will eventually lose patience and move on.
Related articles by Zemanta
- For Cyber Gangs, Fooling Google Isn't That Hard to Do (cbsnews.com)
- Phishing, Spam Containing Malware Increase (informationweek.com)
- Hi! I'm a security researcher, and here's your invoice (zdnet.com)
Monday, July 5, 2010
What in the world is a Bot?
Image via Wikipedia
The computer vernacular has given us many terms, but Botnet describes something that everyone should be aware of. Also known as Ghostnets or Zombie Farms, Botnets are used for malicious activity, the types of which this blog usually talks about. Individual computers are infected with a virus that is under a command and control structure, turning them into 'Bots', short for robots. This virus can be as simple as in an email or code on a website, and once installed can be very difficult to detect and eradicate. The bot is then grouped together with other bots to perform malicious activity, such as sending out spam email or 'Denial of Service' attacks.Now while all of this seems harmless, consider what is happening. Someone with bad intentions owns your machine more than you do, and uses it to attack the livelihood of others. These people can rent out their botnets to other criminals to send out spam, or use them for direct attacks on companies as they demand ransom. These endeavors can be lucrative, so the practice continues.
Also consider that sometimes it can be state sponsored terrorism or spying. The attack on the Dalai Lama started out among supporters of Tibet through an email hack and wound up infecting over 12,000 computers in many different countries' embassies and consulates. The Dutch police found a 1.5 million node botnet, and the Conficker virus created over 10 million bots around the world. Many of these networks have scaled back to elude detection to below 20,000 machines, but big networks still exist and operate.
Aside for the things such as spam and credit card fraud that these systems are often used for, there are other implications which also bear looking at. The attack on the Pentagon in 2007 created immense collateral damage to machines around the world, mostly here in the US as botnets ramped up and attacked the firewalls of the Pentagon. This created an immense slowdown of the internet as vulnerable systems were converted into soldiers in the attack. The spike in traffic went well over the normal 60TB of data that is moved on the internet each day, creating a global slowdown and disruption of everything from commerce and banking to every other use the internet has.
These can be avoided quite simply for now with some basic maintenance to the average computer and user:
1. Patches and Updates. Seems simple, but so often either overlooked or just not done.
2. Firewalls (Hardware and Desktop) are configured correctly and monitored.
3. Anti-virus is everywhere.
4. Policies, guidelines and procedures, and then education about those same items. It is helpful to write in a manual that a user should not pick up a found USB key and insert into their company desktop. It's more helpful if the employee is instructed that the policy exists and why.
Another simple fix is to outsource your security. Many of the attacks that are well documented are inside jobs. Rio Tinto in 2009, Societe Generale in 2008 were both billion dollar losses because the people inside the company had access, knowledge and privileges. By finding a trusted partner to handle either the total security defense, or to provide oversight of the internal resources, a savvy businessman can ensure that all threats inside and out are being carefully handled.
Related articles by Zemanta
- The Enemy Within: What is Conficker's Botnet For? (theatlantic.com)
- The Enemy Within (Conficker Worm) (theatlantic.com)
- Tequila botnet auto-destructs (go.theregister.com)
Tuesday, June 8, 2010
IT Security Breaches
I took some time this week to look at data breaches for this blog, and am completely amazed at the commonplace happening of data exposure. AT&T, NYC Department of Education, and many other big names have been in the news just within the last month. 222 million records were breached in 2009. Many of the people affected have still not been notified of the breaches concerning their data.
Data breaches have become all too common, and what was once enough of a scandal to bring down the company that had a breach is now looked at as just news. Data privacy is one of the most important goals of IT security. Financial malfeasance such as robbing banks is the number one crime, but the theft and loss of Personally Identifiable Information, or PII, should be second only to this crime in scope and importance. The loss of this data can cause such havoc to the people affected by a breach is very real and of major value.
The combination of breaches, such as taking one list and comparing it to one or more stolen lists is the nightmare scenario for any consumer. If matches are found, which is an inevitable occurrence, the consequences of having all relevant PII about a collection of individuals is very real. The problem that so many people and organizations fail to realize, is that just a fraction of these ARE fully or partially exploited, and the cost is easily in the billions of dollars for the combined group affected. Without getting into too many details, criminals or foreign agents could in effect completely become another real person, or at least access the wealth, savings and credit of that person. No one person is above this risk, since from the richest to the poorest, everyone is on thousands of electronic lists.
Right now it is estimated that fully two thirds of the companies in America lack a database security plan. Many of these do so at their peril, by putting too much faith in the firewall, or other singular methods of security. The resulting scandal from a small local business is much worse than for AT&T, which has a prepared legal and PR team at their disposal. They also do it at our peril, since the data that gets taken often is of a deeply personal nature.
Remedies are not easy, cheap, or fast. They are necessary.
1. Practice security-in-depth. Look at the physical security, firewall, internet filters, anti-virus programs and policies as one unit working together. Enforce tough policies across the organization, harden the systems, and deal with shortcomings honestly and as a priority.
2. Have a regular review of your security posture, at least annually, to ensure that the evolving nature of the threat doesn't advance beyond you.
3. Test your procedures. Hire someone to test you defenses, and see what happens. This could be done in-house, but it's only truly been tested if someone outside your organization tries.
When I looked at data breaches this week, I could also tell how seemingly small a problem this is to be reported on. Most breaches flare up on the news channels, but the bigger companies hunker down and weather the days of bad publicity. Soon something else will comae along like the Gulf of Mexico tragedy to put the average American into overload. A culture of prevention and security needs to surround this part of our lives. I have tried to avoid sounding like a full-on advertisement on this blog, but this should be a driving force to get security professionals involved. With concerted effort, and corporate buy-in, much of the problems could be avoided. With enough of a defensive posture in place, large scale attacks on multiple systems can be detected and thwarted. With enough mechanisms in place, small business can be spared the agony of getting wiped out through scandal, litigation and remediation after losing all of your customer records.
Sounds like it's worth it to me.
Data breaches have become all too common, and what was once enough of a scandal to bring down the company that had a breach is now looked at as just news. Data privacy is one of the most important goals of IT security. Financial malfeasance such as robbing banks is the number one crime, but the theft and loss of Personally Identifiable Information, or PII, should be second only to this crime in scope and importance. The loss of this data can cause such havoc to the people affected by a breach is very real and of major value.
The combination of breaches, such as taking one list and comparing it to one or more stolen lists is the nightmare scenario for any consumer. If matches are found, which is an inevitable occurrence, the consequences of having all relevant PII about a collection of individuals is very real. The problem that so many people and organizations fail to realize, is that just a fraction of these ARE fully or partially exploited, and the cost is easily in the billions of dollars for the combined group affected. Without getting into too many details, criminals or foreign agents could in effect completely become another real person, or at least access the wealth, savings and credit of that person. No one person is above this risk, since from the richest to the poorest, everyone is on thousands of electronic lists.
Right now it is estimated that fully two thirds of the companies in America lack a database security plan. Many of these do so at their peril, by putting too much faith in the firewall, or other singular methods of security. The resulting scandal from a small local business is much worse than for AT&T, which has a prepared legal and PR team at their disposal. They also do it at our peril, since the data that gets taken often is of a deeply personal nature.
Remedies are not easy, cheap, or fast. They are necessary.
1. Practice security-in-depth. Look at the physical security, firewall, internet filters, anti-virus programs and policies as one unit working together. Enforce tough policies across the organization, harden the systems, and deal with shortcomings honestly and as a priority.
2. Have a regular review of your security posture, at least annually, to ensure that the evolving nature of the threat doesn't advance beyond you.
3. Test your procedures. Hire someone to test you defenses, and see what happens. This could be done in-house, but it's only truly been tested if someone outside your organization tries.
When I looked at data breaches this week, I could also tell how seemingly small a problem this is to be reported on. Most breaches flare up on the news channels, but the bigger companies hunker down and weather the days of bad publicity. Soon something else will comae along like the Gulf of Mexico tragedy to put the average American into overload. A culture of prevention and security needs to surround this part of our lives. I have tried to avoid sounding like a full-on advertisement on this blog, but this should be a driving force to get security professionals involved. With concerted effort, and corporate buy-in, much of the problems could be avoided. With enough of a defensive posture in place, large scale attacks on multiple systems can be detected and thwarted. With enough mechanisms in place, small business can be spared the agony of getting wiped out through scandal, litigation and remediation after losing all of your customer records.
Sounds like it's worth it to me.
Related articles by Zemanta
- FBI to investigate AT&T iPad data breach (telegraph.co.uk)
Subscribe to:
Posts (Atom)